APT32 attacks on Chinese government (2020)
|Date||From at least January to April 2020.|
|Suspected actor||Hacking group APT32 (also known as OceanLotus or APT-C-00), allegedly working for the Vietnamese government. Vietnam has denied all allegations as groundless.|
|Victims||Various Chinese public authorities, including China’s Ministry of Emergency Management and the government of Wuhan province. In addition, the operation also allegedly affected Chinese-speaking individuals who were interested in COVID-19.|
|Target systems||Computers belonging to the Chinese government and affected Chinese-speaking individuals.|
|Method||1. Sending phishing emails with tracking links. APT32 sent emails with embedded tracking links to China’s Ministry of Emergency Management using the sender address. The embedded link contained the victim’s email address and code that reported back to the actors when the email was opened.
2. Using a decoy document. APT32 likely used COVID-19-themed malicious attachments against Chinese-speaking targets. While the full execution chain has not been uncovered, FireEye identified a Metaljack loader that displayed a COVID-19 decoy document with a Chinese-language title while launching its payload. The shellcode payload collected system information and appended it to URL strings; if the callback succeeded, it loaded Metaljack into memory.|
|Purpose||Cyber espionage which was allegedly designed to collect intelligence on the COVID-19 crisis.|
|Result||It is unclear whether the intrusion attempts in China were successful. Confidential COVID-19-related state and government data may have been compromised. Additional trojans and malware may also have been installed, allowing data exfiltration in the future.|
|Aftermath||It is unclear whether the APT32 intrusions have usefully contributed to the Vietnamese government’s public health response. In any case, Vietnam has denied all allegations as groundless.|
|Analysed in||Scenario 02: Cyber espionage against government departments|
Collected by: Wei Xinyu
- Scott Henderson, Gabby Roncone, Sarah Jones, John Hultquist, Ben Read, Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage, 22 April 2020, Mandiant.com.
- Carl Thayer, Did Vietnamese Hackers Target the Chinese Government to Get Information on COVID-19?, 4 May 2020, The Diplomat.
- Embassy of the Socialist Republic of Vietnam in the United States of America, FireEye's Groundless Statement on Viet Nam Assisted the APT32 Hacker Group, 24 April 2020.
- Jack Stubbs, Raphael Satter, Vietnam-linked hackers targeted Chinese government over coronavirus response: researchers, 22 April 2020, Reuters.com.
- CISOMAG, Vietnam’s APT32 Group Uses COVID-19 to Target Chinese Health Authorities, 27 April 2020, cisomag.com.
- Ankit Panda, Offensive Cyber Capabilities and Public Health Intelligence: Vietnam, APT32, and COVID-19, 24 April 2020, The Diplomat.